[00:16.030 --> 00:20.270]  This is Cheerio presenting Indicators of Emulation.
[00:20.270 --> 00:23.950]  And with that, I will let Cheerio take it away. Thank you.
[00:24.750 --> 00:28.130]  Hi, everyone. Thanks so much for coming here.
[00:28.130 --> 00:31.530]  So let's jump right in.
[00:32.570 --> 00:38.330]  So really quick, I am not speaking on behalf of any of my employers.
[00:38.570 --> 00:41.610]  Everything I say is basically my opinion
[00:41.610 --> 00:45.210]  and not necessarily that of my employer.
[00:45.210 --> 00:48.030]  So now that we have that out of the way,
[00:48.030 --> 00:52.910]  I'm going to do a TLDR on this and basically tell you that this talk
[00:52.910 --> 00:57.830]  is about taking the Windows command line arguments and PowerShell
[00:57.830 --> 01:02.910]  and seeing what the heck we can do with it as a cyber threat intelligence professional
[01:02.910 --> 01:07.870]  to provide to other teams in the organization.
[01:07.870 --> 01:12.330]  So that basically sums up my talk in about a sentence.
[01:12.570 --> 01:18.930]  So if you're interested in playing along, stick with me.
[01:20.510 --> 01:26.050]  So Katie Kuzianovic, and I apologize, I probably didn't pronounce that right.
[01:26.050 --> 01:30.170]  I'm sorry. Her DerbyCon 8 presentation.
[01:30.170 --> 01:35.570]  And she said that blocked data is the glitter of the TI data world.
[01:35.570 --> 01:40.690]  And so ever since DerbyCon 8, that's kind of really stuck with me.
[01:40.730 --> 01:44.910]  And in the spirit of the discovery theme this year for DEF CON,
[01:44.910 --> 01:48.850]  I decided, hey, why not explore this a little bit further
[01:48.850 --> 01:53.770]  and see what I can do with actual blocked data
[01:55.230 --> 01:59.930]  and see how I can extract intelligence and information
[01:59.930 --> 02:02.490]  to be able to feed to different teams.
[02:02.490 --> 02:12.670]  So fast forward about 13 months, and I go to Matt Kelly's BSides Chicago talk in 2019.
[02:12.670 --> 02:18.730]  And it was a great presentation on threat emulation, adversary-focused red teams.
[02:18.730 --> 02:25.690]  And in it, he gave a really interesting graph and information about some ideas
[02:25.690 --> 02:31.870]  as far as how threat intelligence can help feed red teams and adversary emulation.
[02:31.870 --> 02:33.870]  So that kind of stuck with me.
[02:34.070 --> 02:38.730]  Then fast forward another five months, and I reached out to Bryson Bort
[02:38.730 --> 02:43.170]  because over at SCYTHE, they have something called a marketplace.
[02:43.230 --> 02:50.610]  And basically, it's, you know, I'm going to paraphrase horribly, so please forgive me.
[02:50.890 --> 02:56.610]  It's like a thing for researchers to research threat actors out there
[02:56.610 --> 03:05.130]  and then help build out some of the adversary emulation that they have, right?
[03:05.130 --> 03:08.890]  So I'm like, oh, that sounds so fascinating. I want to get involved.
[03:09.070 --> 03:13.070]  And so Bryson got me in touch with Adam Mashinchi, and I apologize.
[03:13.070 --> 03:15.690]  I may have pronounced that wrong. Please forgive me.
[03:16.470 --> 03:21.890]  And he pointed out that there were a lot of threat intel reports with Linux commands,
[03:21.890 --> 03:25.750]  Linux-related commands, but there wasn't too much with Windows.
[03:25.750 --> 03:30.810]  So I decided that semester I was doing a malware analysis course,
[03:30.810 --> 03:34.430]  and I'm like, huh, this would be a really interesting project to take on
[03:34.430 --> 03:40.750]  and see just what it's about and where it will lead me, right?
[03:40.750 --> 03:49.310]  So I'm like, okay, so I will just enable Windows command line logging, and it's just easy.
[03:49.310 --> 03:58.430]  So what I did is I got a VM, and then I figured out how to turn on the logs and all of that, right?
[03:59.970 --> 04:03.870]  Disable all the security stuff, especially the SmartScreen.
[04:03.870 --> 04:08.050]  And God, it was so much disabling of so much security, it was crazy.
[04:08.090 --> 04:11.690]  And I just want to do a shout out to Microsoft Windows.
[04:11.790 --> 04:14.570]  Like, I cannot tell you how hard it was for me,
[04:14.570 --> 04:22.750]  like how many things I had to disable and go through in order to execute malware on the VM.
[04:22.750 --> 04:27.030]  It was crazy. I'm like, holy crap, they do a really good job.
[04:28.170 --> 04:33.350]  Like, yeah, I mean, just try. It's involved.
[04:34.590 --> 04:37.770]  So what I did, too, is I created a baseline.
[04:38.150 --> 04:42.970]  So Windows command line logging, if you look over it, you're like,
[04:42.970 --> 04:45.790]  what the H is that, right?
[04:45.830 --> 04:50.130]  So before introducing malware into the environment,
[04:50.130 --> 04:54.890]  I decided to just watch the command line a little bit and get a better understanding,
[04:54.890 --> 04:58.570]  because DFIR isn't my 24-7 life, right?
[05:00.530 --> 05:07.870]  And also, too, since I did it for a doctoral class, I decided, well, let's get a control, too.
[05:07.870 --> 05:11.250]  You know, kind of make it an experiment so that I can have the control,
[05:11.250 --> 05:17.790]  and I can have malware samples in the wild and kind of see what it is that's going on.
[05:17.790 --> 05:21.970]  So I was like, how do I create a control? I don't know how to make malware.
[05:22.190 --> 05:24.890]  So I don't know how to do all that stuff.
[05:24.890 --> 05:27.170]  So there were three options that I found.
[05:27.650 --> 05:32.710]  One was making a quote-unquote test malware, which I'll share with you on the screen there.
[05:32.710 --> 05:35.610]  You can see it on the left.
[05:35.610 --> 05:41.830]  Basically, I took Sektor7's Red Team Operator Malware Dev course.
[05:42.130 --> 05:47.710]  And, of course, he doesn't just have "start calc" in his class,
[05:47.710 --> 05:56.610]  but that gave me the idea to just compile a C++ program and have it start calc.
[05:56.610 --> 05:59.830]  Really benign. The code's right up there.
[05:59.870 --> 06:03.010]  And see if it actually works, right? And it did.
[06:03.010 --> 06:05.530]  Another option was Atomic Red Team.
[06:05.970 --> 06:11.510]  So they did such a fabulous job at spelling out how to install it, how to get it done.
[06:11.510 --> 06:16.390]  It was so quick. I just put in a couple commands, and it was done,
[06:16.390 --> 06:20.330]  and I could run the different PowerShell things to ensure the PowerShell logging
[06:20.330 --> 06:22.410]  and all that stuff was set up correctly.
[06:22.590 --> 06:26.430]  And then the final option is just to manually enter the commands myself.
[06:26.830 --> 06:32.790]  So I did all of that, and then I'm like, where am I going to get all this malware from?
[06:33.470 --> 06:41.870]  So I tried ANY.RUN, you know, you change the extension from bin.bin to .exe,
[06:41.870 --> 06:45.770]  and didn't really get anything.
[06:45.770 --> 06:50.270]  And I'm like, well, is the malware dysfunctional?
[06:50.270 --> 06:56.110]  Like, is it not working? Or is it, you know, anti-VM stuff?
[06:56.110 --> 06:58.470]  Like, defense evasion? What's going on?
[06:58.470 --> 07:00.630]  Or is it me? Am I just not clicking enough?
[07:00.630 --> 07:02.830]  Or who knows what, right?
[07:02.830 --> 07:05.770]  The security person in me is like, don't click!
[07:05.950 --> 07:09.530]  So I was like, okay, I don't know what's going on with that.
[07:09.530 --> 07:14.790]  And then I tried Hybrid Analysis, and then MalwareBazaar as well,
[07:14.790 --> 07:16.370]  and I didn't have any luck.
[07:16.370 --> 07:18.090]  So I'm like, what is going on?
[07:18.090 --> 07:20.570]  So finally, I was just like, screw it.
[07:20.570 --> 07:27.210]  I am just going to URLhaus, taking the most recent, like, posting that people submitted,
[07:27.210 --> 07:32.570]  and going to the actual attacker's domain and pulling down the malware myself,
[07:32.570 --> 07:38.170]  so that it's fresh, and so that I know that it's not user error,
[07:38.170 --> 07:40.450]  or who knows what else, right?
[07:40.850 --> 07:43.930]  And I tried multiple other malware repositories.
[07:43.930 --> 07:48.250]  I was like, why is this not executing? Or what's going on, right?
[07:48.250 --> 07:50.610]  And here's a funny story.
[07:50.610 --> 07:55.130]  Someone told me to go talk to Bleeping Computer and ask them.
[07:55.130 --> 07:58.390]  I'm like, yeah, that's probably a bad idea.
[07:58.650 --> 08:02.910]  Anyways, so that was a really fun story.
[08:03.490 --> 08:10.450]  So I put up here some of the results of the tests when I pulled the malware myself,
[08:10.450 --> 08:12.830]  from the actual source.
[08:13.190 --> 08:19.950]  And as you can see, like, you know, some of them gave me command line arguments
[08:20.570 --> 08:23.850]  beyond the initial execution of the binary.
[08:23.850 --> 08:26.390]  Some of them didn't, most of them didn't.
[08:26.390 --> 08:31.370]  So I'm like, huh, why? What is it doing?
[08:31.450 --> 08:34.210]  So then I'm like, oh, there's static analysis.
[08:34.510 --> 08:39.090]  So then I download Ghidra, and of course, IDA and all of that.
[08:39.090 --> 08:42.650]  And I'm like, wait, I don't really know how to use this very well.
[08:42.650 --> 08:47.350]  So Joe Slowik, he's like the meme master.
[08:47.350 --> 08:49.050]  He's awesome.
[08:49.050 --> 08:53.190]  He recently posted something with a guy trying to drink water,
[08:53.190 --> 08:55.710]  and he's like, drink water like this?
[08:55.710 --> 08:58.390]  You know, like, that's how I felt.
[08:58.390 --> 08:59.630]  It was so bad.
[08:59.630 --> 09:05.570]  I'm like, oh, my God, like, the learning curve on that is just a little bit more
[09:05.570 --> 09:07.150]  than I'm willing to invest right now.
[09:07.150 --> 09:07.870]  I will.
[09:07.870 --> 09:14.130]  It's just I wanted to get through this and make it accessible to as many people as possible.
[09:14.130 --> 09:19.430]  So I decided to move on with my life and try something else.
[09:19.430 --> 09:26.130]  So SANS DFIR Summit 2020, actually July, not too long ago,
[09:26.790 --> 09:30.590]  you know, about five months after the Bryson Bort meeting,
[09:31.070 --> 09:35.930]  I spoke with Michael Gough, Mr. Malware Archaeology.
[09:35.930 --> 09:37.410]  He is super awesome.
[09:37.410 --> 09:41.630]  He did the command line logging cheat sheets.
[09:41.630 --> 09:43.810]  I don't know if you're familiar with those.
[09:43.810 --> 09:45.850]  They have just a wealth of information.
[09:45.850 --> 09:47.910]  And I told him some of the problems I was having.
[09:47.910 --> 09:50.470]  And I'm like, what's wrong with me?
[09:50.770 --> 09:58.150]  And he suggested to just buy a computer and, like, bypass all of the anti-analysis stuff.
[09:58.150 --> 10:02.930]  And I was like, oh, my gosh, I, like, never would have thought of that.
[10:02.930 --> 10:05.510]  Never, like, in a gazillion years.
[10:05.510 --> 10:13.870]  So I bought two computers, but not willingly.
[10:14.150 --> 10:16.510]  So the first one I bought was dead on arrival.
[10:16.510 --> 10:21.790]  And I'm like, I'm like, I don't have time to try to troubleshoot this.
[10:21.790 --> 10:24.150]  It's actually still sitting right next to me.
[10:24.150 --> 10:27.210]  So then I bought another one that was delivered the next day.
[10:27.210 --> 10:29.450]  And that one actually worked.
[10:29.450 --> 10:30.570]  Thank God.
[10:31.930 --> 10:41.130]  So some of the results of that, as you can see, I had, I picked one random sample.
[10:42.130 --> 10:52.450]  And threw it into a couple of different sandbox solutions to see the difference between the command line arguments that I would get from all these different solutions, right?
[10:52.450 --> 10:56.550]  The one in the upper left-hand corner, VirusTotal, as you can see.
[10:56.550 --> 11:01.210]  Oh, okay, so we got the initial binary executing.
[11:01.210 --> 11:02.190]  Cool.
[11:02.190 --> 11:02.990]  Okay.
[11:02.990 --> 11:06.490]  So CAPE up in the right-hand corner.
[11:06.490 --> 11:07.590]  Okay.
[11:07.590 --> 11:11.510]  And then Joe Sandbox, holy crap, that's a lot of stuff.
[11:11.730 --> 11:25.490]  But then what I got, I got 70-something pages of command line arguments and PowerShell commands and all of that from this one particular sample.
[11:26.470 --> 11:28.030]  Here's just some of it.
[11:28.030 --> 11:35.950]  Some of it looks like it could be useful for potential adversary emulation exercises, potentially.
[11:37.190 --> 11:45.210]  So the funny thing about this, so I decided to do a little bit of research on the Raccoon Stealer.
[11:45.210 --> 11:49.210]  And I came across a Cybereason blog on this.
[11:49.210 --> 11:58.670]  And they said, oh, yeah, one of the main complaints about it by criminals is that it has a very low success rate of 45%.
[11:58.670 --> 12:07.130]  So as I was going through on my actual real computer, not a VM, it asked me to install the .NET framework.
[12:07.130 --> 12:18.230]  And I'm like, you know, that's a lot of work for the average user to install this so that you can read an invoice or whatever.
[12:19.870 --> 12:24.610]  I'm like, no wonder why it has a low success rate. At least that's my understanding of it.
[12:24.610 --> 12:29.710]  And I didn't really find that anywhere in a lot of the blogs that I read.
[12:29.710 --> 12:34.150]  So definitely it's a huge advantage that now I know this.
[12:34.150 --> 12:44.970]  Now it requires me, in order for this particular variant of Raccoon Stealer to work, I have to install the .NET framework of that version.
[12:44.970 --> 12:58.910]  So if your enterprise computers, whatever, aren't using that and would require the installation of that particular .NET framework,
[12:58.910 --> 13:02.690]  then this particular variant would be a really low threat to you.
[13:02.690 --> 13:06.170]  So you wouldn't necessarily need to proceed with analysis.
[13:06.290 --> 13:09.570]  But here's a little fun tidbit.
[13:09.570 --> 13:14.830]  So as I was going along, I got a little pop-up video and it said, Nyan Cat.
[13:14.830 --> 13:17.970]  Like, who doesn't love Nyan? Nyan Cat, right?
[13:17.970 --> 13:21.530]  I'm like, Pop Tarts? Cats? Rainbows? Sure.
[13:21.890 --> 13:27.730]  So it said, make this connection available for all users or my use only.
[13:27.830 --> 13:30.590]  And I was like, oh, I don't know what to do.
[13:31.330 --> 13:34.530]  You know, of course, I did this safely, on and on and on.
[13:34.530 --> 13:42.170]  So I was like, you know what? I'm just going to roll with it and click OK and see what happens.
[13:42.170 --> 13:48.250]  And so I was really excited. I was hoping like, you know, CrowdStrike came to mind.
[13:48.250 --> 13:58.450]  I'm actually wearing one of their shirts where the activity of actors, how quick they are to jump on connections and stuff like that.
[13:58.450 --> 14:09.310]  So I was waiting and waiting and I'm like, you know, excited because I'm expecting like, you know, something, something to happen, anything to happen.
[14:09.310 --> 14:15.990]  And hours later, still nothing. And I'm like, all right, like, I have to move on with this.
[14:15.990 --> 14:22.170]  But it was fun and exciting for a little bit, like waiting. It was good.
[14:22.170 --> 14:31.930]  And another thing, because it dropped files in the temp directory, I was like, oh, well, let's just go look there for fun and see what happens.
[14:31.930 --> 14:37.910]  Right. So one of them was disable Windows Defender. I'm like, oh, that looks nasty.
[14:37.910 --> 14:41.690]  So I threw it up into VirusTotal and it was nasty.
[14:41.690 --> 14:54.070]  So, you know, yeah. So that was that particular sample, because I'm assuming a lot of places have Windows 10.
[14:54.230 --> 14:57.910]  Without the .NET framework, I'm like, meh.
[14:58.270 --> 15:11.310]  So then last night at 5:15 p.m. Pacific Standard Time, like yesterday, like literally yesterday, less than 24 hours before my talk,
[15:11.710 --> 15:20.370]  a friend contacted me and said that his company was willing to let me look at their junk data to go through this as an example.
[15:20.370 --> 15:25.090]  So I'm like, cool. Like, yeah, like, I'll totally do that.
[15:25.410 --> 15:32.670]  But can I do it or can I not do it for, you know, prepping in less than 24 hours to analyze this?
[15:32.670 --> 15:41.390]  Well, let's see. Like, it's not unrealistic for enterprise and corporate America for you to get off the wall like crazy ass, you know, last second.
[15:41.390 --> 15:46.390]  So I'm like, why not? Let's do this. You only live once, right? YOLO.
[15:46.750 --> 15:55.390]  So I got the sample and I tried to make it as realistic as possible, like pretending your boss comes to you and says, I need this yesterday.
[15:55.390 --> 16:06.430]  So, you know, and let's say that, I don't know, whatever, I just did the sandbox stuff, OPSEC, blah, blah, blah.
[16:07.810 --> 16:16.490]  So do whatever you do with your organization, whatever, right? Everyone has different things that they can and can't do.
[16:16.490 --> 16:24.790]  So with this sample, I loaded it to ANY.RUN and VirusTotal already had an entry, and then I loaded it to Malware Bazaar.
[16:24.910 --> 16:29.750]  And the wonderful thing about Malware Bazaar is that I get extra stuff.
[16:29.750 --> 16:34.410]  So I load it to Malware Bazaar, I get Joe Sandbox, and I get CAPE.
[16:34.410 --> 16:48.310]  And CAPE took a while, like I had to wait until the morning, like probably around 1 p.m., which would be what, 11, 11, yeah, 11 a.m. Pacific time.
[16:48.570 --> 16:53.270]  So to look at the results of those, so I just went with what I had.
[16:53.330 --> 17:03.730]  And, of course, the threat intel in me, knowing that this came from an actual company, you know, I wanted to share additional context with the person that sent it to me.
[17:03.730 --> 17:13.010]  So I'm like, oh, you know, according to VirusTotal, it does a callout with the DNS traffic to a Nigerian-based hosting company, and I pivoted off that.
[17:13.310 --> 17:19.710]  And I ended up creating a custom rule for a YARA rule for this particular company.
[17:19.730 --> 17:27.070]  And interestingly enough, that particular DNS callout was only associated with four other files.
[17:27.070 --> 17:35.870]  So I did a diff on it and then shared the particular YARA rule that was associated with that and passed it off to my contact.
[17:36.450 --> 17:43.570]  And so then I go to MITRE ATT&CK, right, and I'm like, oh, MITRE ATT&CK will save the day.
[17:44.070 --> 17:46.310]  They'll have something on HawkEye.
[17:46.310 --> 17:48.550]  That's what the sample ended up being.
[17:48.550 --> 17:55.550]  And then I go to MITRE ATT&CK, and I'm like, no, they don't have it up there yet.
[17:55.550 --> 17:57.630]  Why? My God, why?
[17:57.790 --> 18:01.010]  So I'm like, okay, what do I do next?
[18:01.010 --> 18:04.110]  And this is kind of realistic, you know.
[18:04.430 --> 18:12.870]  So then I'm like, well, let's try to create a repeatable process for this since I have such a short amount of time to make this doable.
[18:12.890 --> 18:24.890]  And I decided to just use MITRE ATT&CK's framework anyways and analyze it and tactics to guide the research as far as what to look at.
[18:24.890 --> 18:32.150]  And this is from Joe Sandbox, an output of all the different MITRE ATT&CK variants, right?
[18:32.150 --> 18:48.690]  But we want specifics, because if I just say native API or process injection or WMI to the red teamers, they'll be like, okay, great.
[18:48.690 --> 18:55.190]  So I decided to go a little bit of digging.
[18:55.590 --> 19:03.950]  And with this, the initial access, it was an email with an EXE attachment.
[19:04.290 --> 19:09.550]  And the subject said, invoice detached, invoice attached, right?
[19:09.550 --> 19:15.190]  And another thing with this particular sample, it can propagate via USB.
[19:15.190 --> 19:23.650]  So I didn't want to, you know, get too friendly with it, if you know what I mean.
[19:24.050 --> 19:34.850]  The other good thing, though, is that this particular sender was not a third party recipient or was not a third party of the recipient of the particular email.
[19:35.270 --> 19:41.530]  And I really love how they set up their attached is the reverse invoice.
[19:41.530 --> 19:47.670]  So obviously, they might not necessarily have the best English.
[19:47.770 --> 19:55.490]  I went to one of the domains that was in the email on the upper right-hand corner, the big yellow thing.
[19:55.490 --> 19:58.930]  That was the FPE2000.it.
[20:00.230 --> 20:02.250]  Not too exciting.
[20:02.250 --> 20:10.130]  And then at the bottom is the actual, like, domain from the sending organization.
[20:10.130 --> 20:17.970]  So I'm not going to comment further on that, but malicious EXEs are coming from there.
[20:18.310 --> 20:21.630]  And it happens to be from Nigeria, too.
[20:21.630 --> 20:33.530]  So the sender, a company from Nigeria, and DNS call-up to Nigeria that gave me four other samples that were malicious.
[20:33.530 --> 20:36.390]  So execution.
[20:36.390 --> 20:45.910]  Obviously, we have user execution of a malicious file, which is the T1204.002.
[20:45.910 --> 20:47.590]  So we have that.
[20:48.090 --> 20:50.710]  And then we have WMI.
[20:50.710 --> 21:01.990]  So specifically, what it is about WMI is that it checks if the AV antivirus firewall program is installed.
[21:01.990 --> 21:08.290]  As you can see here, it has select from antivirus product, select from firewall product.
[21:10.250 --> 21:13.390]  And with this, I used it as an experiment.
[21:13.390 --> 21:19.450]  And here's the process that I came up with that I repeated for each and every single tactic.
[21:21.610 --> 21:26.010]  Basically, I look at Joe Sandbox and the MITRE ATT&CK section.
[21:26.010 --> 21:33.390]  And then I look at the specific entry in Joe Sandbox, as far as the detailed information you can see there in that picture.
[21:33.670 --> 21:40.430]  And then I go to Atomic Red Team to see if they have the particular technique available.
[21:40.430 --> 21:44.630]  And I look at the YAML contents of that particular file.
[21:44.630 --> 21:47.970]  And then I Google what isn't there.
[21:47.970 --> 21:51.200]  So here's an example of that.
[21:51.510 --> 21:54.030]  So Atomic Red Team has...
[21:54.030 --> 22:02.050]  When I looked for the T1047 for the WMI, I didn't find specifically what I was looking for.
[22:02.050 --> 22:11.610]  But later, like a lot later in the process, I found what I needed in T1518.001.
[22:11.930 --> 22:14.750]  And put that right up there at the bottom.
[22:14.750 --> 22:20.310]  And then prior to that, I did a little bit of Stack Overflow searching.
[22:20.310 --> 22:23.910]  And also found a similar command. I don't know if it works or not.
[22:23.910 --> 22:26.730]  I would have to do testing on that.
[22:26.730 --> 22:32.110]  But I have that information available to provide to Red Team to cut down their research time.
[22:33.030 --> 22:35.550]  So next, we have the Native API.
[22:35.570 --> 22:39.990]  And specifically, this is related to .NET source code references.
[22:40.370 --> 22:44.470]  And I was like, what the heck do they mean by that?
[22:44.470 --> 22:47.090]  So I looked that up at the bottom.
[22:47.090 --> 22:51.590]  And as you can see, it comes from particular EXEs.
[22:51.630 --> 22:56.410]  And I'm like, okay, so I searched through the whole analysis report.
[22:56.410 --> 22:59.630]  And it was still not helpful.
[22:59.810 --> 23:02.490]  So then I went to Atomic Red Team.
[23:02.490 --> 23:06.390]  And as you can see here, I put the big arrow.
[23:06.850 --> 23:12.490]  They have the .NET Framework version 4.0, whatever.
[23:12.490 --> 23:16.790]  And I searched that. And then I found a command line argument.
[23:16.790 --> 23:23.670]  But no qualifiers or information behind that.
[23:23.790 --> 23:28.190]  So there is an Atomic Red Team for it.
[23:28.190 --> 23:36.690]  But it doesn't necessarily state how to engage the different APIs and leverage those.
[23:36.690 --> 23:38.630]  But they're there.
[23:38.630 --> 23:42.270]  So I'm like, okay, I'll include that for context.
[23:43.130 --> 23:44.970]  Persistence is next.
[23:45.350 --> 23:54.110]  So one of the ways that this particular sample gets persistence is through trying to load missing DLLs.
[23:54.110 --> 24:00.850]  And I searched in the sandbox report and found that it was WerFault?
[24:00.850 --> 24:02.870]  I don't know if I'm saying that right. Sorry.
[24:03.790 --> 24:06.730]  And I was like, oh, this is interesting.
[24:06.730 --> 24:08.850]  I'm like, interesting.
[24:08.850 --> 24:15.610]  I'm like, I wonder if that particular EXE is actually legitimate or what's going on with it.
[24:15.750 --> 24:18.990]  So there was a hash for this particular sample.
[24:18.990 --> 24:21.110]  And I threw it into VirusTotal.
[24:21.110 --> 24:22.650]  And it came back clean.
[24:22.650 --> 24:26.610]  So I'm like, okay, well, that's interesting.
[24:27.790 --> 24:29.810]  Okay, so I'll put that down.
[24:29.810 --> 24:32.970]  There is an atomic test, but it's based on PowerShell.
[24:34.350 --> 24:37.210]  So next is privesc.
[24:37.210 --> 24:42.090]  And it does include the previous DLL side loading technique that I had up there.
[24:42.090 --> 24:47.550]  Plus it also had process injection.
[24:47.550 --> 24:50.430]  So there was a lot of process injection with this one.
[24:50.430 --> 24:52.670]  And there's an atomic test for it, too.
[24:52.670 --> 25:01.250]  And below here, there was a command line argument down at the bottom related to process injection here.
[25:01.250 --> 25:06.130]  So I provided that as context for the red teamers.
[25:06.350 --> 25:07.550]  Defense evasion.
[25:07.550 --> 25:09.910]  It had a ton of defense evasion.
[25:09.910 --> 25:18.470]  Everything from invalid code signing, software packing, sandbox evasion, lots.
[25:18.830 --> 25:25.730]  And I pulled out the ones that might be helpful to emulation exercises.
[25:25.730 --> 25:27.650]  One was masquerading.
[25:27.650 --> 25:31.510]  So this one, it creates files inside the user directory.
[25:31.510 --> 25:40.030]  So when I looked up atomic red team, they didn't have information specific to that.
[25:40.030 --> 25:41.970]  There were a bunch of other tests.
[25:42.390 --> 25:45.570]  But that is the specific user directory.
[25:45.570 --> 25:50.570]  So I'm assuming they could take care of that.
[25:50.570 --> 26:00.110]  The next one, modify registry, stores large binary data to the registry and then it modifies the registry key.
[26:01.550 --> 26:04.370]  And hidden files and directories.
[26:04.370 --> 26:08.110]  There's key that's created or modified.
[26:09.990 --> 26:12.770]  And obfuscated files.
[26:12.770 --> 26:18.590]  So this one, I assumed that they were talking about the process environment block.
[26:18.590 --> 26:23.270]  Since that's pretty standard with the exploit dev.
[26:23.270 --> 26:28.710]  And trying to walk that in order to find the address of kernel32.dll.
[26:28.710 --> 26:32.190]  So I assume that's what the shell code was about.
[26:32.810 --> 26:37.970]  Especially here it says contains functionality to read the PEB.
[26:38.290 --> 26:41.630]  So that was just my educated guess.
[26:42.330 --> 26:44.310]  Regarding the shell code.
[26:44.990 --> 26:46.250]  Credential access.
[26:46.250 --> 26:47.510]  There was a ton of that.
[26:48.110 --> 26:50.330]  Credential dumping, all of that.
[26:51.350 --> 26:53.910]  Takes credentials from web browsers.
[26:53.910 --> 26:56.490]  There is an atomic test for that as well.
[26:56.610 --> 26:58.090]  And then discovery.
[26:58.270 --> 26:59.930]  There's a couple of different things.
[26:59.930 --> 27:01.170]  So process discovery.
[27:01.170 --> 27:03.230]  There's an atomic test available.
[27:03.610 --> 27:05.730]  Remote system discovery.
[27:05.730 --> 27:07.470]  Atomic test available.
[27:07.470 --> 27:09.770]  Atomic test for this as well.
[27:09.770 --> 27:11.390]  And I put it at the bottom.
[27:11.390 --> 27:13.450]  Machine GUID.
[27:14.250 --> 27:15.530]  Lateral movement.
[27:15.670 --> 27:19.190]  It has the replicate via USB.
[27:19.510 --> 27:22.670]  Obviously, yeah.
[27:23.150 --> 27:26.210]  I don't know if they're using it to pivot or whatever.
[27:26.210 --> 27:31.850]  It just seems like it's a standard stealer for credentials to use later.
[27:32.470 --> 27:34.630]  Credential collection.
[27:34.650 --> 27:39.050]  So key logging and then data from local system is another one.
[27:40.650 --> 27:42.170]  T1005.
[27:43.090 --> 27:46.690]  And then archived collected data.
[27:46.690 --> 27:52.910]  So with this, I'm assuming they meant that they would either compress or
[27:52.910 --> 27:55.210]  encrypt the data prior to exfil.
[27:55.210 --> 28:01.370]  So that's good info for the red teamers to use in their exercises.
[28:01.370 --> 28:04.990]  Of course, also, too, they take the clipboard data.
[28:05.530 --> 28:07.470]  Local e-mail collection.
[28:07.470 --> 28:10.730]  And there's an actual atomic test for this as well, too.
[28:11.390 --> 28:17.210]  And all of the specific folders that were accessed in order to get the
[28:17.210 --> 28:18.130]  contents.
[28:18.130 --> 28:19.410]  And I provide that.
[28:20.330 --> 28:21.930]  So C2.
[28:23.670 --> 28:25.230]  Encrypted channel.
[28:25.390 --> 28:31.210]  So I know that Jorge has the C2 Matrix along with Bryson Bort.
[28:31.210 --> 28:35.910]  And so they have a lot of different fun things that you can pick through to
[28:35.910 --> 28:38.410]  be like, okay, I need an encrypted channel.
[28:38.410 --> 28:42.990]  So that will be really easy for you to go through.
[28:43.730 --> 28:47.950]  And there is an atomic test available for these as well.
[28:48.510 --> 28:49.590]  Exfiltration.
[28:49.590 --> 28:55.010]  I assume that they exfil the encrypted or compressed data.
[28:55.070 --> 28:56.710]  So there is that.
[28:56.710 --> 28:58.830]  That's what I put as exfiltration.
[28:58.830 --> 28:59.490]  Impact.
[28:59.490 --> 29:04.430]  There doesn't necessarily seem to be an impact other than stealing creds and
[29:04.430 --> 29:06.830]  private information.
[29:06.830 --> 29:10.930]  So, you know, no ransomware type anything.
[29:10.930 --> 29:14.110]  And I wanted to add additional context as well.
[29:14.110 --> 29:20.830]  So I decided to look at the YARA rules that fired on this particular sample.
[29:20.830 --> 29:28.190]  And as you can see, there's consistent hits with this particular rule from
[29:28.190 --> 29:29.550]  Malware Bazaar.
[29:29.770 --> 29:32.070]  And then I decided to go digging a little bit.
[29:32.070 --> 29:34.790]  And I'm like, huh, what is this rule about?
[29:34.830 --> 29:39.430]  So I found a link to it on a GitHub.
[29:39.830 --> 29:42.350]  And same author, same all of that.
[29:42.350 --> 29:44.630]  And it looks like it was made in 2015.
[29:45.010 --> 29:51.290]  And it looks like they're using the same string of the holder mail.txt,
[29:51.290 --> 29:56.590]  which was also a command line argument, as you can see down here at the bottom,
[29:56.590 --> 29:58.690]  since at least 2015.
[29:58.710 --> 30:04.930]  So I'm like, oh, that would probably be good to include in the emulation exercise
[30:04.930 --> 30:08.590]  since that hasn't changed in, what, five years?
[30:09.210 --> 30:16.090]  The other thing is so the HTTP traffic doesn't have a header,
[30:16.090 --> 30:21.910]  I have different examples here of files written and then the process tree too,
[30:21.910 --> 30:28.770]  if they want to try to emulate that as well for, like, security tools
[30:28.770 --> 30:31.590]  and all of that for detection purposes.
[30:31.590 --> 30:33.490]  It dropped 11 files.
[30:33.490 --> 30:41.330]  And I included the different folders that they got dropped to and other characteristics.
[30:41.330 --> 30:43.710]  So I thought that this was interesting.
[30:43.710 --> 30:45.450]  They used port zero.
[30:45.830 --> 30:51.190]  And so I just included stuff that I'm like, huh, this looks really interesting.
[30:51.190 --> 30:57.550]  They used DNS over HTTPS and things like that so that red team can kind of pick
[30:57.550 --> 30:59.730]  and choose what they want and don't want.
[31:01.030 --> 31:05.650]  And so basically this was literally junk data.
[31:05.650 --> 31:07.110]  Like, no one cared about it.
[31:07.110 --> 31:08.310]  It was blocked.
[31:08.310 --> 31:10.190]  Like, who cares, right?
[31:10.210 --> 31:14.030]  But the org was being targeted with it.
[31:14.030 --> 31:21.350]  So just a little bit, what, less than 24 hours that I spent with this particular sample,
[31:21.990 --> 31:29.030]  we got all of this information out of it, and I was able to map it back to Atomic Red Team or Google
[31:29.030 --> 31:36.250]  and, like, you know, stack overflow and all of that and get somewhat of some commands
[31:36.250 --> 31:43.370]  and behaviors, TTPs, associated with this that they can test within their own environment.
[31:43.370 --> 31:52.370]  And here's just some of the stuff that they can get from this data that's essentially junk.
[31:52.370 --> 31:53.610]  I mean, that's pretty good.
[31:53.610 --> 32:03.170]  They got a Yara rule out of it, custom, made by me, from threat actors that they're actively being targeted with.
[32:03.170 --> 32:13.150]  They got basically kind of a purple team exercise where, you know, if you know it's using this or it's doing that,
[32:13.150 --> 32:15.510]  you can look at your defenses prior to that.
[32:15.510 --> 32:18.430]  Do you have, you know, WMI, all of that.
[32:18.590 --> 32:26.670]  So building out a purple team exercise around this and working with adversary emulation teams,
[32:26.670 --> 32:34.290]  whether that's a dedicated person or a team or blue teamers filling the red team, who knows, right?
[32:34.290 --> 32:38.090]  Organizations have so many different things going on.
[32:39.170 --> 32:46.890]  So in summary, I'm going to leave it to you guys to decide if you think that junk data,
[32:46.890 --> 32:57.110]  essentially blocked data, can provide value to your organization and whether or not you can use that blocked data or even delivered data.
[32:57.110 --> 33:01.210]  You see what I do with blocked data, imagine delivered, right?
[33:02.110 --> 33:13.210]  So, you know, whether or not you can kind of tailor and use this information that's specific to your organization that's being targeted.
[33:14.010 --> 33:22.290]  Having the MITRE ATT&CK heat map and knowing where your coverage is in your environment that people talk about, right?
[33:23.150 --> 33:25.450]  Cyberwardog talks about that.
[33:25.450 --> 33:28.370]  Olaf, like a ton of people.
[33:28.430 --> 33:35.170]  And so knowing that you can know where your weaknesses are, where your strengths are, where you have visibility, where you don't have visibility.
[33:35.170 --> 33:37.290]  And you can take this information.
[33:37.290 --> 33:46.710]  And as a threat intel analyst, you can see that you don't have to buy two computers to get some of this information.
[33:47.010 --> 33:54.310]  I really loved CAPE Sandbox and also Joe Sandbox and MalwareBazaar.
[33:54.310 --> 33:57.250]  Absolutely love, love them.
[33:57.250 --> 33:59.170]  Just combining all of it.
[33:59.170 --> 34:09.330]  And then also, with the different sandboxes, they're not alike; I got different data from different ones, even though it was the same sample.
[34:09.470 --> 34:11.750]  So I just kind of compiled it all.
[34:11.750 --> 34:20.710]  And then some of the analysis I did on my own, I added additional TTPs that weren't on the actual heat map that I showed you at the beginning.
[34:20.870 --> 34:25.970]  So there's a lot that you can do with this based upon your organization.
[34:25.970 --> 34:33.970]  You can also create a threat library or threat actor dossiers, kind of, even though it's malware.
[34:33.970 --> 34:37.950]  But you can kind of start to paint a picture over time.
[34:37.950 --> 34:46.790]  So you see the Nigerian infrastructure and a Nigerian company sending you maliciousness.
[34:46.990 --> 34:49.250]  I'm not pointing fingers.
[34:50.130 --> 35:00.130]  So you can start to get a more holistic view of your threat landscape and what they could potentially be interested in.
[35:00.370 --> 35:05.930]  Obviously, if they wanted to disrupt your services, I mean, yeah.
[35:05.930 --> 35:09.010]  So I could talk a really long time about that.
[35:09.010 --> 35:16.750]  But I will leave that up to your conclusion and what you find valuable to your organization.
[35:16.750 --> 35:20.910]  And I just want to thank you so much for attending my talk.
[35:21.010 --> 35:23.010]  And that's it.
[35:23.430 --> 35:25.410]  Thank you. Enjoy DEF CON.
[35:25.410 --> 35:27.090]  And thank you.
[35:27.870 --> 35:32.310]  Thank you very much, Cheryl, for that wonderful presentation and talk.
[35:32.810 --> 35:46.370]  And as always, we recommend that you go to TrackTalk1 to direct your questions for the presenter on our Blue Team Village Discord.
[35:47.030 --> 35:54.310]  And if you have any questions, I'm sure she will be able to answer them.
[35:54.310 --> 35:56.990]  And I'm just going to look through real quick.
[35:56.990 --> 35:58.970]  I don't see any at the moment.
[35:59.450 --> 36:01.290]  So thank you very much.
[36:01.410 --> 36:02.310]  Thank you.
